openstack-keystone service

Table of contents

  • keystone service
  • Installation and configuration
    • Prerequisites
    • Install and configure components
      • Run the following command to install the packages.
      • Edit the /etc/keystone/keystone.conf file and complete the following actions:
      • Populate the Identity service database:
      • Initialize Fernet keys:
      • Bootstrap the Identity service:
    • Configure the Apache HTTP server
    • Create a link to the /usr/share/keystone/wsgi-keystone.conf file:
    • Finalize the installation
  • Create a domain, projects, users, and roles
    • Create a domain
    • Create projects
    • Create the myproject project:
    • Create the myuser user:
    • Create the myrole role:
    • Add the myrole role to the myproject project and myuser user:
  • Verify operation
  • Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables
    • As the myuser user created in the previous section, request an authentication token:
  • Create OpenStack client environment scripts
    • Creating the scripts
    • Using the scripts
    • Load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:
      • Request an authentication token:

keystone service

On the controller node

Installation and configuration

Prerequisites

Before you configure the OpenStack Identity service, you must create a database. Older versions of this guide also asked for an administration token; with Fernet tokens and the keystone-manage bootstrap step below, that token is no longer needed.

Complete the following steps to create the database:

Use the database access client to connect to the database server as the root user:

$ mysql -u root -p

Create the keystone database:

 CREATE DATABASE keystone;

Grant proper access to the keystone database (the 'keystone'@'%' grant is what lets the other nodes reach it; restrict it to your management network if the database is reachable from anywhere else):

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
[root@controller ~]# mysql -u root -p
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.20-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.009 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    -> IDENTIFIED BY 'zmd_9001';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    -> IDENTIFIED BY 'zmd_9001';
Query OK, 0 rows affected (0.001 sec)


Install and configure components

Run the following command to install the packages.

# yum -y install openstack-keystone httpd mod_wsgi

Disable SELinux and firewalld beforehand, otherwise some of the services configured later will not respond. That is the quickest path for a lab. On a machine you care about, keep SELinux enforcing and install the openstack-selinux package (which relabels the ports the OpenStack services bind to for httpd), and open only the ports you need in firewalld instead of stopping it.

Edit the /etc/keystone/keystone.conf file and complete the following actions:

In the [database] section, configure database access:

[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

Replace KEYSTONE_DBPASS with the password you chose for the database.

In the [token] section, configure the Fernet token provider:

[token]
# ...
provider = fernet

Populate the Identity service database:

# su -s /bin/sh -c "keystone-manage db_sync" keystone

Note

Ignore any deprecation messages in this output.

Initialize the Fernet key repositories (the first creates the keys that encrypt tokens, the second the keys that encrypt stored credentials; both live under /etc/keystone and must stay readable only by the keystone user):

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service:

# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
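The key repository that fernet_setup creates is what every token issued after the bootstrap depends on, so it is worth seeing its layout and rotation rules before the first fernet_rotate job runs on a real controller. The script below is an added example, not part of the original page and not keystone's own code: in a throw-away directory it models what keystone-manage fernet_setup and fernet_rotate do (key 0 is the staged key, the highest index is the primary key, old keys are pruned down to [fernet_tokens] max_active_keys) and checks the permissions keystone insists on. The repository path is an assumption, and ownership by keystone:keystone is left out so the script runs as an unprivileged user.

```shell
#!/bin/sh
# Added example: a model of keystone's Fernet key repository life cycle,
# not the real keystone-manage code. Runs in any writable directory;
# the real repository is /etc/keystone/fernet-keys owned by keystone:keystone
# (ownership is omitted here so the script works unprivileged).

# A Fernet key is 32 random bytes, urlsafe-base64 encoded (44 characters).
fernet_gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Write key INDEX into REPO with mode 0600; the umask change is confined
# to a subshell so the caller's umask is untouched.
fernet_write_key() {
    ( umask 077; fernet_gen_key > "$1/$2" )
    chmod 600 "$1/$2"
}

# fernet_setup: key 0 is the staged key (next primary), key 1 is the
# primary key that encrypts newly issued tokens.
fernet_repo_init() {
    mkdir -p "$1"
    chmod 700 "$1"
    fernet_write_key "$1" 0
    fernet_write_key "$1" 1
}

# Active key indexes, ascending, on one line, e.g. "0 1".
fernet_repo_keys() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# The primary key is the highest numbered one.
fernet_repo_primary() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# fernet_rotate with max_active_keys = MAX (keystone's default is 3):
#   1. the staged key 0 becomes the new primary (old primary + 1);
#   2. a fresh staged key 0 is written;
#   3. the oldest secondary keys are purged until staged + others <= MAX.
# A token encrypted under a purged key can no longer be validated.
fernet_repo_rotate() {
    repo=$1
    max=${2:-3}
    primary=$(fernet_repo_primary "$repo")
    mv "$repo/0" "$repo/$((primary + 1))"
    fernet_write_key "$repo" 0
    for k in $(ls "$repo" | grep -E '^[1-9][0-9]*$' | sort -n); do
        others=$(ls "$repo" | grep -Ec '^[1-9][0-9]*$')
        [ "$others" -gt $((max - 1)) ] || break
        rm -f "$repo/$k"
    done
}

# Hygiene check: directory 0700, every key 0600 and exactly 44 bytes.
# Returns 0 when the repository passes.
fernet_repo_check() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ] || return 1
    for f in "$1"/*; do
        [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
        [ "$(wc -c < "$f")" -eq 44 ] || return 1
    done
    return 0
}

# Demo run in a temporary directory: setup, then three rotations.
demo=$(mktemp -d)
fernet_repo_init "$demo"
echo "after fernet_setup: keys=[$(fernet_repo_keys "$demo")] primary=$(fernet_repo_primary "$demo")"
i=0
while [ "$i" -lt 3 ]; do
    fernet_repo_rotate "$demo" 3
    i=$((i + 1))
    echo "after rotation $i:  keys=[$(fernet_repo_keys "$demo")] primary=$(fernet_repo_primary "$demo")"
done
if fernet_repo_check "$demo"; then echo "repository permissions OK"; fi
rm -rf "$demo"
```

With max_active_keys = 3 the sequence is 0 1, then 0 1 2, then 0 2 3, then 0 3 4: after the second rotation nothing issued under key 1 validates any more. That is the reason for keystone's sizing rule, max_active_keys = token_expiration / rotation_frequency + 2, and for running fernet_rotate on every controller from the same copied repository rather than generating keys independently per node.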

Configure the Apache HTTP server

Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

ServerName controller

Create a link to the /usr/share/keystone/wsgi-keystone.conf file:

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Finalize the installation

Start the Apache HTTP service and configure it to start when the system boots:

# systemctl enable httpd.service
# systemctl start httpd.service

Error

[root@controller ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Mar 31 15:45:55 controller httpd[1692]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Mar 31 15:45:55 controller httpd[1692]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Mar 31 15:45:55 controller httpd[1692]: no listening sockets available, shutting down
Mar 31 15:45:55 controller httpd[1692]: AH00015: Unable to open logs
Mar 31 15:45:55 controller systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 31 15:45:55 controller systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.

SELinux is blocking httpd from binding to port 5000 (the make_sock lines above say Permission denied, which is the signature of a port-type denial, not a port already in use). Either disable SELinux, as was done here, or keep it enforcing and install the openstack-selinux package, which labels the OpenStack service ports so httpd may bind to them; the same relabeling can be done by hand with semanage.

Configure the administrative account by setting the proper environmental variables:

$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.

Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:

Create a domain

$ openstack domain create --description "An Example Domain" example

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 2f4f80574fd84fe6ba9067228ae0a50c |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+

Error

[root@controller ~]# openstack domain create --description "An Example Domain" example
Missing value auth-url required for auth plugin password

The system had been rebooted, so the exported variables were gone: they live only in the shell session that exported them.
Re-run the export commands above (the extra db_sync in the session below is harmless but unnecessary).

[root@controller ~]# openstack domain create --description "An Example Domain" example
Missing value auth-url required for auth plugin password
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]#  export OS_USERNAME=admin
[root@controller ~]#  export OS_PASSWORD=****
[root@controller ~]#  export OS_PROJECT_NAME=admin
[root@controller ~]#  export OS_USER_DOMAIN_NAME=Default
[root@controller ~]#  export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]#  export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]#  export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | cb1f7e9a4809438cb4a0f968760307f0 |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

Create projects

This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:

$ openstack project create --domain default \
  --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Execution result

[root@controller ~]#  export OS_USERNAME=admin
[root@controller ~]#  export OS_PASSWORD=zmd_9001
[root@controller ~]#  export OS_PROJECT_NAME=admin
[root@controller ~]#  export OS_USER_DOMAIN_NAME=Default
[root@controller ~]#  export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]#  export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]#  export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | cfd7929faa4d456ba0633f4934ed0106 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the myproject project and myuser user.

Create the myproject project:

$ openstack project create --domain default \
  --description "Demo Project" myproject

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Result

[root@controller ~]# openstack project create --domain default \
>   --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | d33724f9baf9444e9622d102d9541826 |
| is_domain   | False                            |
| name        | myproject                        |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Create the myuser user:

$ openstack user create --domain default \
  --password-prompt myuser

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Result

[root@controller ~]# openstack user create --domain default \
>   --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 62623ccda6ce4e4c82b10cd51521aad8 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@controller ~]#

Create the myrole role:

$ openstack role create myrole

+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | myrole                           |
+-----------+----------------------------------+

Result

[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | dea0722037a346b9a5dc790e39b0d017 |
| name        | myrole                           |
| options     | {}                               |
+-------------+----------------------------------+

Add the myrole role to the myproject project and myuser user:

$ openstack role add --project myproject --user myuser myrole

This command produces no output; the assignment shows up in openstack role assignment list.

Verify operation

Perform these steps on the controller node

List the objects that were just created:

[root@controller ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| cb1f7e9a4809438cb4a0f968760307f0 | example | True    | An Example Domain  |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+
[root@controller ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 0d6def14a0df408f8834bd82065856a5 | member |
| 5feb9c7b483b46cf897af25ba7d8fa5a | reader |
| db335b47ae26492e9da33881087e80c6 | admin  |
| dea0722037a346b9a5dc790e39b0d017 | myrole |
+----------------------------------+--------+
[root@controller ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| a6a881a6089843b9999b2a0a7397c5d7 | admin  |
| 62623ccda6ce4e4c82b10cd51521aad8 | myuser |
+----------------------------------+--------+
[root@controller ~]# openstack project list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| cfd7929faa4d456ba0633f4934ed0106 | service   |
| d33724f9baf9444e9622d102d9541826 | myproject |
| faf1dd393fae450b8afc29ebc9d9b6d1 | admin     |
+----------------------------------+-----------+

Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables

$ unset OS_AUTH_URL OS_PASSWORD

As the admin user, request an authentication token:

$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+

Result

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-01T01:32:29+0000                                                                                                                                                                |
| id         | gAAAAABiRkgdBWiaVeJI1DK2y6qn_MMoSXFrDuXg4eMxm6Dm7ip3MeaLuQGmXU69MZX3yW-0H8QzUvCNQJykAes0dD_2KQvkeKS9LSWacXEer-JJXw4rXj4riEnnjUYVdHIygcuwm4Yz_RPPaLHVgl23NpGomVEmGUqQDRkeKyWTsk_vSJG0XYU |
| project_id | faf1dd393fae450b8afc29ebc9d9b6d1                                                                                                                                                        |
| user_id    | a6a881a6089843b9999b2a0a7397c5d7                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

As the myuser user created in the previous section, request an authentication token:

$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+

Result

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name myproject --os-username myuser token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-01T01:40:47+0000                                                                                                                                                                |
| id         | gAAAAABiRkoPRFjUYIYNYAvfIiisvt-Xefaf3pa6rGcFBsUAic83cz2rwRvsp1LRvYu-sCB4VgpPs5OXtnj9oBrFiinRcJ56_lIfBFJPRtHu5wxxx3kCrE8VlriDHgakxDKvC731s9jLoubX_KU55PUirZ2YHNMx-O79O-58FmkgP1BMJRMAoNg |
| project_id | d33724f9baf9444e9622d102d9541826                                                                                                                                                        |
| user_id    | 62623ccda6ce4e4c82b10cd51521aad8                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Create OpenStack client environment scripts

The previous sections used a combination of environment variables and command options to interact with the Identity service via the openstack client. To increase the efficiency of client operations, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options.

Creating the scripts

Create client environment scripts for the admin and demo projects and users. Later parts of this guide reference these scripts to load the appropriate credentials for client operations.
The scripts can be placed in any secure and convenient location. They store the password in cleartext, so keep them readable only by their owner (chmod 600) and out of any shared or version-controlled directory.
Create and edit the admin-openrc file and add the following content:

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Replace ADMIN_PASS with the password you chose for the admin user in the Identity service.

Create and edit the demo-openrc file and add the following content:

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Replace DEMO_PASS with the password you chose for the myuser user in the Identity service.
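The "Missing value auth-url required for auth plugin password" failure earlier on this page and the "secure location" advice above both come down to what is in the OpenRC file at the moment it is sourced. The script below is an added example, not from the original page and not part of OpenStack: it checks an OpenRC file for every variable the password auth plugin needs, for a placeholder password left in from the guide, and for a file mode that would let other local users read OS_PASSWORD, and returns the number of problems found. The two sample files it writes are constructed for the demo; the hostname and passwords in them are invented.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenRC file, to run before
# `. admin-openrc`. Not OpenStack code. The sample files written by
# openrc_demo_files are constructed for this demo (invented credentials).

# Variables the keystone "password" auth plugin needs from an OpenRC file.
OPENRC_REQUIRED="OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_PROJECT_NAME \
OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_IDENTITY_API_VERSION"

# openrc_check FILE: prints one line per problem and returns the number of
# problems (0 = safe to source). The file is sourced inside a subshell on
# top of a cleared OS_* environment, so a stale export from an earlier
# session cannot mask a variable the file forgot to set, and a broken file
# cannot change the caller's environment.
openrc_check() {
    file=$1
    report=$(
        for v in $OPENRC_REQUIRED; do unset "$v"; done
        . "$file" >/dev/null 2>&1 || echo "cannot source $file"
        for v in $OPENRC_REQUIRED; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || echo "$v is not set (client fails with: Missing value ... required for auth plugin password)"
        done
        case "${OS_PASSWORD:-}" in
            ADMIN_PASS|DEMO_PASS|KEYSTONE_DBPASS)
                echo "OS_PASSWORD is still the install guide placeholder ${OS_PASSWORD}" ;;
        esac
        if [ -n "${OS_IDENTITY_API_VERSION:-}" ] && [ "$OS_IDENTITY_API_VERSION" != 3 ]; then
            echo "OS_IDENTITY_API_VERSION is $OS_IDENTITY_API_VERSION; the v2 API is gone, use 3"
        fi
        # Advisory only (not counted): the install guide uses plain http,
        # but the password and every token then cross the network in clear.
        case "${OS_AUTH_URL:-}" in
            http://*) echo "warning: $OS_AUTH_URL is not TLS; acceptable in a lab only" >&2 ;;
        esac
    )
    # The file holds a cleartext password, so nobody else may read it.
    mode=$(ls -l "$file" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) ;;
        *) report="$report
$file has mode $mode, expected 0600 (it contains OS_PASSWORD)" ;;
    esac
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    return "$(printf '%s\n' "$report" | grep -c .)"
}

# openrc_demo_files DIR: constructed samples, one sound and one that
# reproduces the mistakes seen on this page.
openrc_demo_files() {
    cat > "$1/admin-openrc" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD='example-only-Adm1n'
export OS_AUTH_URL=https://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    chmod 600 "$1/admin-openrc"
    # Broken: no OS_AUTH_URL, placeholder password, world-readable.
    cat > "$1/broken-openrc" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_IDENTITY_API_VERSION=3
EOF
    chmod 644 "$1/broken-openrc"
}

# Demo run.
demo=$(mktemp -d)
openrc_demo_files "$demo"
for f in admin-openrc broken-openrc; do
    if openrc_check "$demo/$f"; then
        echo "$f: OK, safe to source"
    else
        echo "$f: $? problem(s), fix before sourcing"
    fi
done
rm -rf "$demo"
```

Run it before sourcing a newly written file; the broken sample reports three problems (missing OS_AUTH_URL, placeholder password, mode 644) and the sound one none. The TLS check is deliberately advisory because the guide itself uses http://controller:5000; when keystone sits behind TLS, change OS_AUTH_URL in the scripts and the three endpoints registered by keystone-manage bootstrap together.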

Using the scripts

To run clients as a specific project and user, you can simply load the associated client environment script prior to running them. For example:

Load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:

$ . admin-openrc

Request an authentication token:

$ openstack token issue
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:44:35.659723Z                                     |
| id         | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
|            | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
|            | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+

Result

[root@controller ~]# . admin-openrc
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-01T02:10:47+0000                                                                                                                                                                |
| id         | gAAAAABiRlEXe5-Tt9lKrrqOxMKBsj2m3vptBTO_nMIum7FxZ1BbK0wgNYJ-cg2bHKWJMzqiNjkBduvxECFvbRB2QM6oQsdgzr1p49wRMM7DxrqTE_iQinC9i2fQAbtzsA3Wdnt32_y-3yGtuKOWWBDGJPbQU12RJlmqv1roLApFyBFVOydW_i4 |
| project_id | faf1dd393fae450b8afc29ebc9d9b6d1                                                                                                                                                        |
| user_id    | a6a881a6089843b9999b2a0a7397c5d7                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Each request yields a different token. A Fernet token is not stored anywhere: the id is the user, project, expiry and audit data encrypted with the primary key from /etc/keystone/fernet-keys, and Fernet uses a fresh random IV and the current timestamp every time, so two issues never match. Earlier tokens stay valid until their expires time (one hour by default, [token] expiration in keystone.conf) and as long as the key that encrypted them is still in the repository; treat the id as a bearer credential and never paste it into a ticket or a log.
